Field of the Invention
The present invention relates to artificial intelligence systems, and more particularly to data breach detection systems with adaptive “smart agents” that learn, adapt and evolve with the behaviors of their corresponding subjects by the transactions they engage in, and that can evaluate if a data breach has occurred at a “point-of-compromise” somewhere in the payment network.
Background
Several major retailers have recently announced that “hackers” have breached their systems and gotten away with millions of cardholder accounts and passwords. The retailers inadequately advise their customers to change their bankcard passwords, and the involved card issuers are independently initiating wholesale card replacements. Not good, for anyone.
Faster detections of data breaches are needed to limit the damage. The database breaches just keep on coming, resulting in painful losses and brand damage for issuers and merchants. Cybercriminals are using sophisticated hacking, skimming, employee-insider, and malware methods to hack into supposedly secure systems and steal payment card data and credentials. The millions of compromised payment cards will go stale in a few days or weeks, so the criminals quickly sell the data on the black market. These get converted into counterfeit cards that will work at point of sale (POS) terminals and online, mobile, or call-center card-not-present (CNP) channels.
TABLE. Recent Card Data Compromises

Company                    | Announced     | Method             | Records compromised
P.F. Chang's China Bistro  | June 2014     | External - malware | Undetermined quantity of payment card data.
Home Depot                 | May 2014      | Internal           | Thirty thousand customer records including name, address, phone number, payment card number, expiration date.
Spec's                     | March 2014    | External - malware | Payment card and/or checking account information for 550,000 customers.
Michael's                  | January 2014  | External - malware | Payment card data for 3 million customers.
Target                     | December 2013 | External - malware | Payment card data for 40 million consumers as well as personal information for another 70 million Target customers.
CorporateCarOnline         | November 2013 | External - hacking | Attackers were able to steal an unencrypted database containing PII and credit card details for 850,000 high-net-worth individuals and celebrities.
Adobe                      | October 2013  | External - hacking | Personal information of 2.9 million customers, including names and credit and debit card numbers; source code for popular Adobe products also stolen.
Proactive detection of data compromises can be very challenging for issuers and merchants alike. When the cardholders themselves detect unauthorized activity on their card a month after the fact when they get their statements, their usual first step is to contact the issuer to dispute the charge.
Many large issuers have analytic systems already in place that aggregate consumer disputes, and try to tie them back to some common point, e.g., a retailer. But millions of consumers each initiating multiple transactions per day on their cards complicates determining the locations of any data compromises. Smaller issuers are more dependent on the point-of-compromise alerts that come from the payment networks. These alerts often lag the large issuers' knowledge of a breach by three to four weeks due to the overhead incurred by networks' obligation to be 100% positive of the breach location before raising the red flag.
The best analytic approaches to detecting data breaches employ machine learning and artificial intelligence technologies to inspect possibly fraudulent reports, and attempt to tie the seemingly random fraud back to some common point-of-purchase. The ideal models learn and train themselves on an ongoing basis, to accelerate compromise detection.
Data breaches are disruptive, and their negative impacts have steadily increased for the last five years as cybercriminals' tactics escalate in sophistication. Such breaches are very costly. Merchants suffer from brand damage and revenue loss. Target's fourth quarter earnings plunged significantly as shoppers went elsewhere in the wake of Target's breach.
The financial impacts are compounded in the form of fines for being out of compliance with the Payment Card Industry Data Security Standards (PCI-DSS).
The card issuers bear the liability for the fraud losses that result from the counterfeit cards that are created using data stolen in a breach. Cardholders will often also reduce their use of the affected cards, further driving losses in revenues for the issuer. Recently, as many as 38% of American consumers who experienced fraud subsequently reduced their use of the impacted card.
When it comes to fraud detection, time is money. If a data compromise can be detected quickly, issuers can take more effective steps to minimize both their losses and the direct impact on consumers.
Issuers now employ a number of creative solutions to the problem. One top-five issuer has a $10-million budget dedicated to infiltrating the underground forums where criminals sell stolen data. They buy back their own card numbers hoping to use the experience to identify the compromise locations more quickly.
Analytics are now being used by more firms. Issuers, payment networks, and processors are continually looking for better, more effective methods of compromise detection.
A patchwork of state regulations obliges businesses in forty-seven states to notify consumers of data compromises. But there is no equivalent set of mandates for businesses to provide the public with the details of how the breaches occur. The Target breach came under a very public spotlight, and a clearer picture of the criminals' methodology came to light.
In mid-2013, Fazio Mechanical, one of Target's small heating and air conditioning (HVAC) vendors, unwittingly downloaded a keylogging Trojan. Such malware records data entered by users and sends the captured data to the cybercriminals' command and control center. Fazio was using a free, consumer-grade anti-malware software package that only did on-demand scans, so the malware went undetected. The keylogging Trojan captured the data they keyed into the compromised workstation, including the vendor's credentials used for logging into Target's Ariba billing system.
That enabled the criminals to log into Target's billing system, and to hack their way over to POS production data, a clear breakdown in Target's data security practices. Once there, they deployed a variant of BlackPOS malware, a memory-scraping malware that is available for purchase on underground web forums for around $2,000. On Nov. 27, 2013, the BlackPOS began collecting data. On December 2, the criminals began the data exfiltration process. The criminals began testing the data during the first week of December. Once they determined the data was valid and useable, they began posting significant quantities of data to underground forums sometime around the second week of December. On December 15, Target removed the bulk of the malware. But it missed a portion of the malware in the initial scrub. The malware removal was completed on December 18.
The Target breach was particularly difficult to detect for a number of reasons, even given the large number of cards that were compromised and subsequently sold on the black market. The breach took place around Black Friday, a time when fraud rates typically escalate along with purchase volume. The strip mall proximity of many merchants at which a consumer will shop sequentially can create false echoes that can lead the issuer to initially attribute the breach to the wrong culprit. The sheer volume of breaches that are taking place these days can often lead to the same card number being sold multiple times in the black market, creating another challenge in isolating the breaches to a particular merchant. All these issues were further magnified in the Target breach. The criminals also made available the zip code of the store in which the compromised card data was originally used by the genuine consumer. With this data available to them, the criminals were able to manufacture counterfeit cards that could be used in the same geographic location, further impeding issuers' detection efforts.
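The common-point-of-purchase analysis that issuers run over aggregated disputes, and the strip-mall "false echo" problem just described, can be made concrete with a small worked example. The following Python is an added illustration, not code from this patent or from any issuer's system; the transaction log, card identifiers and merchant names ("GroceryMart", "CoffeeHut", "BigBox", "GasStop") are constructed, and the scoring rule (coverage of reported cards multiplied by lift over the issuer-wide fraud rate, with a minimum-hits threshold) is an assumption chosen for the demonstration.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed transaction log.

Added example, not the patent's method. Given the set of cards an issuer has
flagged through consumer disputes, rank merchants by how strongly "having
shopped there" predicts later fraud. A minimum-hits threshold keeps merchants
with too few compromised customers from being reported, and the lift term keeps
a popular merchant everyone visits from outranking the real source.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    card: str
    merchant: str
    day: date


def build_sample():
    """Constructed data (assumption): 20 cards. "GroceryMart" is the merchant
    whose POS actually leaked card data, "CoffeeHut" is a neighbour in the same
    strip mall sharing many of its customers (the false echo), "BigBox" is a
    chain that every card visits, and "GasStop" is a small merchant."""
    cards = [f"c{i:02d}" for i in range(1, 21)]
    txns = []
    for i, c in enumerate(cards):
        txns.append(Txn(c, "BigBox", date(2013, 11, 20) + timedelta(days=i % 5)))
    for i, c in enumerate(cards[:8]):                 # c01..c08 shopped at GroceryMart
        txns.append(Txn(c, "GroceryMart", date(2013, 11, 27) + timedelta(days=i)))
    for i, c in enumerate(cards[:5] + ["c09"]):       # neighbour shares c01..c05
        txns.append(Txn(c, "CoffeeHut", date(2013, 11, 28) + timedelta(days=i)))
    txns.append(Txn("c10", "GasStop", date(2013, 12, 1)))
    txns.append(Txn("c11", "GasStop", date(2013, 12, 2)))
    return txns


# Cards later reported as fraudulent by their holders (constructed). c08 shopped
# at the breached merchant but has no dispute yet; c10 is unrelated fraud noise.
COMPROMISED = {f"c{i:02d}" for i in range(1, 8)} | {"c10"}


def common_point_of_purchase(txns, compromised, min_hits=3):
    """Rank merchants as candidate points of compromise.

    exposure = distinct cards seen at the merchant, hits = those later reported,
    coverage = share of all reported cards the merchant explains, lift = the
    merchant's hit rate relative to the issuer-wide baseline. Returns a list of
    dicts sorted by score (coverage * lift) descending.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for t in txns:
        cards_by_merchant[t.merchant].add(t.card)
        all_cards.add(t.card)
    baseline = len(compromised & all_cards) / len(all_cards)
    results = []
    for merchant, cards in cards_by_merchant.items():
        hits = cards & compromised
        if len(hits) < min_hits:          # too little support to accuse anyone
            continue
        rate = len(hits) / len(cards)
        coverage = len(hits) / len(compromised)
        lift = rate / baseline
        results.append({"merchant": merchant, "exposure": len(cards),
                        "hits": len(hits), "rate": round(rate, 3),
                        "coverage": round(coverage, 3), "lift": round(lift, 3),
                        "score": round(coverage * lift, 3)})
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


def compromise_window(txns, merchant, compromised):
    """Earliest and latest dates on which later-compromised cards were used at
    the merchant: a first estimate of when the leak was active."""
    days = [t.day for t in txns if t.merchant == merchant and t.card in compromised]
    return (min(days), max(days)) if days else None


def analyze_sample():
    txns = build_sample()
    ranking = common_point_of_purchase(txns, COMPROMISED)
    window = compromise_window(txns, ranking[0]["merchant"], COMPROMISED)
    return ranking, window


if __name__ == "__main__":
    ranking, window = analyze_sample()
    for row in ranking:
        print(row)
    print("estimated compromise window:", window)
```

In the constructed data the neighbouring coffee shop explains five of the eight reported cards, so on raw overlap alone it looks guilty; the lift and coverage terms rank the grocery store first because nearly all of its customers were hit and it explains more of the reported cards. Real deployments also have to account for the card-sold-multiple-times and Black Friday volume effects described above, which this small example does not model.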
Herein we use the term “smart agent” to describe our own unique construct in a fraud detection system. Intelligent agents, software agents, and smart agents described in the prior art and used in conventional applications are not at all the same.
Sometimes all we know about someone is what can be inferred by the silhouettes and shadows they cast and the footprints they leave. Who is behind a credit card or payment transaction is a lot like that. We can only know and understand them by the behaviors that can be gleaned from the who, what, when, where, and (maybe) why of each transaction and series of them over time.
Cardholders will each individually settle into routine behaviors, and therefore their payment card transactions will follow those routines. All cardholders, as a group, are roughly the same and produce roughly the same sorts of transactions. But on closer inspection the general population of cardholders will cluster into various subgroups and behave in similar ways as manifested in the transactions they generate.
Card issuers want to encourage cardholders to use their cards, and want to stop and completely eliminate fraudsters from being able to pose as legitimate cardholders and get away with running transactions through to payment. So card issuers are challenged with being able to discern who is legitimate, authorized, and presenting a genuine transaction, from the clever and aggressive assaults of fraudsters who learn and adapt all too quickly. All the card issuers have before them are the millions of innocuous transactions flowing in every day.
What is needed is a fraud management system that can tightly follow and monitor the behavior of all cardholders and act quickly in real-time when a fraudster is afoot.
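As an illustration of what "following the behavior of every cardholder" can mean in code, the following Python keeps a running profile per card and scores each new transaction against that card's own routine. This is an added example and not the "smart agent" construct of this patent, whose design is not given in this section; the features used (amount, ZIP code, merchant category code, hour band), the component weights, the ten-transaction warm-up and the 0.6 flag threshold are all assumptions, and the transaction history is constructed.

```python
"""Per-cardholder behavioural profile, updated online after each transaction.

Added example, not the patent's smart agent. Each card has its own profile:
a running mean/variance of amounts (Welford's method) and counts of the ZIP
codes, merchant category codes and hour bands it normally produces. A new
transaction is scored 0..1 by how unlike that routine it is.
"""
import math
from collections import Counter
from dataclasses import dataclass, field

MIN_HISTORY = 10      # assumption: profile is too immature to judge before this
FLAG_THRESHOLD = 0.6  # assumption: score above which a transaction is flagged


@dataclass(frozen=True)
class Txn:
    card: str
    amount: float
    zip_code: str
    mcc: str    # merchant category code
    hour: int   # local hour of day, 0-23


@dataclass
class CardProfile:
    n: int = 0
    mean_amt: float = 0.0
    m2: float = 0.0  # Welford running sum of squared deviations
    zips: Counter = field(default_factory=Counter)
    mccs: Counter = field(default_factory=Counter)
    bands: Counter = field(default_factory=Counter)  # hour // 6: four 6-hour bands

    def update(self, t):
        self.n += 1
        d = t.amount - self.mean_amt
        self.mean_amt += d / self.n
        self.m2 += d * (t.amount - self.mean_amt)
        self.zips[t.zip_code] += 1
        self.mccs[t.mcc] += 1
        self.bands[t.hour // 6] += 1

    def std_amt(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def score(self, t):
        """0 = exactly this card's routine, 1 = nothing about it is familiar."""
        if self.n < MIN_HISTORY:
            return 0.0
        novel_zip = 1.0 - self.zips[t.zip_code] / self.n
        novel_mcc = 1.0 - self.mccs[t.mcc] / self.n
        novel_band = 1.0 - self.bands[t.hour // 6] / self.n
        sd = self.std_amt() or 1.0
        amt = min(abs(t.amount - self.mean_amt) / sd / 4.0, 1.0)  # z-score, capped at 4
        return 0.3 * novel_zip + 0.25 * novel_mcc + 0.15 * novel_band + 0.3 * amt


class FraudMonitor:
    """One profile per card; flagged transactions do not update the profile so a
    fraudster's activity cannot teach the profile that fraud is normal."""

    def __init__(self):
        self.profiles = {}

    def process(self, t):
        p = self.profiles.setdefault(t.card, CardProfile())
        s = p.score(t)
        flagged = s >= FLAG_THRESHOLD
        if not flagged:
            p.update(t)
        return round(s, 4), flagged


def run_sample():
    """Constructed history for card c01: 20 daytime grocery/restaurant purchases
    of $30-$50 in ZIP 94110, then two probes: a routine purchase and a large
    overnight electronics purchase in a distant ZIP."""
    monitor = FraudMonitor()
    history = [Txn("c01", 30 + (i % 5) * 5, "94110",
                   "5411" if i % 5 < 3 else "5812", 8 + i % 12) for i in range(20)]
    first = monitor.process(history[0])        # immature profile: score 0, not flagged
    for t in history[1:]:
        monitor.process(t)
    routine = monitor.process(Txn("c01", 40.0, "94110", "5411", 12))
    suspect = monitor.process(Txn("c01", 1450.0, "33101", "5732", 3))
    return first, routine, suspect


if __name__ == "__main__":
    print(run_sample())
```

The profile is deliberately cheap to update, so it can be applied in the real-time authorization path; each component contributes by how little of the card's history matches, and the amount term uses the card's own spread rather than a population-wide cutoff, which is what lets one cardholder's "normal" differ from another's.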